First Reference Talks

Discussions on Human Resources, Employment Law, Payroll and Internal Controls

You are here: Home / Finance and Accounting / A twist on risk appetite

By | 2 Minutes Read

A twist on risk appetite

risk appetite

The standard definition of risk appetite is “the amount of risk you are willing to take in the pursuit of objectives”.

That is not a clear explanation that is in plain business language and makes obvious business sense to everybody from the board room to the people in the trenches.

The primary problem is the idea that there is an “amount of risk”.

Ask a safety practitioner what is the amount of risk that should be taken that somebody might be killed or suffer a serious injury.

How do you calculate an “amount of risk” that spans not only the entire enterprise, but different sources of risk such as compliance, safety, customer relations, reputation, competitor, economic, cash flow, third and fourth-party, cyber, human capital, and so on?

How does a risk appetite statement enable people across the extended organization, at various levels, make the informed and intelligent decisions necessary to achieve objectives?

I think there is a better way that should be at least considered.

The twist is to ask:

How much am I willing to spend to ensure that the possibility of such and such happening and affecting my objectives (a range of effects or consequences and their likelihoods) is within my desired range?

For example, how much am I willing to spend to ensure that the possibility of a significant compliance failure is low enough to be acceptable – a risk I am willing to take?

How much am I willing to spend so that there is a less than a 5% likelihood, say, of a cyber breach that would cause major disruption that I value at $10 million?

How much am I willing to spend on customer relations or safety measures to ensure… and so on.

This is what executives have been doing for ages. It is how they run the business.

But first they need to know:

  • What might happen (a range of possible consequences)?
  • What is the likelihood of each level of consequence?
  • How would this affect the achievement of objectives and the success of the organization?
  • Should I take that risk?
  • What are my options and how would further investment change the possibilities (level and/or likelihood of the range of consequences)?
  • What would that cost and is it worth it?
  • What are the options for that cash or other resource (opportunity cost)?
  • How would a reduction (!) in spending change the possibilities?

We don’t think enough about the last point.

We also don’t think enough about whether we are getting a solid, acceptable ROI when we invest in addressing a source of risk.

What do you think? Is this better than trying to explain to top management and the board what “risk appetite” is and whether the organization is exceeding it (usually after the fact)?

Latest posts by Norman D. Marks, CPA, CRMA (see all)

Share with a friend or colleague

Get the Human Resources Advisor Free for 30 Days

Get the Latest Posts in your Inbox for Free!

About Norman D. Marks, CPA, CRMA

Norman has led large and small internal audit departments, been the Chief Risk Officer and Chief Compliance Officer, and managed IT security and governance functions.

He retired in early 2013. However, he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.

Reader Interactions

Leave a Reply

Your email address will not be published.

Footer

About us

Established in 1995, First Reference is the leading publisher of up to date, practical and authoritative HR compliance and policy databases that are essential to ensure organizations meet their due diligence and duty of care requirements.

Main Menu

Stay Connected